SMALL BUSINESS / START-UPS
I have limited time and budget; how do I get started?
Cyber security should now be a major concern for any small business owner who collects customers' data, including personal information such as date of birth, home address, health records, or credit card information. A cyber security threat can range from merely inconvenient to life-threatening, and can even put your business out of business.
When it comes to data breach prevention, what you don't know can hurt you. Your start-up or small business faces cyber risks daily – whether you're fending off internal threats or enhancing protection against external intrusions. At POWERNET, we apply years of cyber security assessment and prevention expertise to help you identify potential vulnerabilities and implement sound data breach prevention practices for effectively securing your sensitive information.
QUESTION: How well are you balancing your need to lock down data with tighter security controls, while providing your team with practically effortless access to the information that drives your success? You can never be sure of your security stance unless you’re conducting periodic security assessments.
Small business owners need to make sure that not only their networks are secured, but also their mobile devices and any digital applications they use in the daily running of business operations. Gone are the days when you could install a firewall program or require only a password to grant access to the company's network. Small businesses need to have a comprehensive cyber security program in place or use a third-party company to do it for them.
If you’re a small business owner, you’ve probably already faced these challenges when trying to increase your cyber security:
- The struggles of managing a business in all its aspects, which leaves little resources for cyber security safeguards;
- The reality of storing and managing data that is very attractive to cyber criminals, such as personal information, usernames, passwords, and more;
- The fact that small and medium businesses are more interconnected than ever, with owners and employees using a vast array of devices and digital services to manage and grow the business;
- A permissive environment in terms of BYOD (Bring Your Own Device) policies, which can increase the number of security vulnerabilities;
- The lack of time, budget and expertise to build a strong security system, a task which is often outsourced to unqualified service providers (because you may lack the knowledge to evaluate this type of service);
- The fact that cyber security education, even in its most basic form, is not something people are generally concerned with;
- Being regarded as a stepping stone by cyber criminals, who could use you to reach bigger targets.
And we know it's not your fault. Cyber security is a challenging field, and you've probably already seen that even big companies suffer from data breaches and cyber attacks, and they have far more resources than you. But the numbers show that your small business is more vulnerable to attack than you may realize, because of the issues above and many more. Cyber security is a concern for businesses of all sizes, but small and midsize businesses (SMBs) are particularly vulnerable. SMBs were the victims of 60 percent of all cyber attacks in 2014, according to a 2015 Internet Security Threat Report, and that trend is expected to continue.
What Can I Do?
SMBs may not fully appreciate their Internet risk exposure, nor have the time, money or expertise to invest in the sophisticated technologies and internal programs that their big business counterparts are able to afford. But there are steps SMBs can take to improve security and mitigate their potential financial loss even with a limited budget. These three controls are a good place to start.
- Build a Security-aware Organization
Cyber security isn’t just about preventive technology; it requires the awareness and participation of everyone within the organization. A top-down approach, beginning with policies and procedures that are sanctioned by the business owner or a team of senior managers, conveys to employees the importance of information security and the need for their collective effort to protect the company’s assets.
- A written information security plan that identifies the organization’s security policies, goals and priorities. At a minimum, at POWERNET, we set forth policies for network security; use of company email, social media, instant messaging and the Internet in general; the handling of proprietary company information; and activities that are prohibited on company-owned devices, networks and other resources.
- Many state regulators request written information security plans when investigating organizations that have experienced a security breach. Having a plan in place not only establishes internal policy for employees, it can also demonstrate to regulators and customers that security is a priority for the organization.
- An inventory of the business’s core assets and sensitive data, where it is stored and who within the organization has the authority to access it. Include personally identifiable information (PII) for employees and customers (such as social security numbers, healthcare records, credit card numbers, etc.), bank account data, company intellectual property and any other information that could damage the business if it got into the wrong hands.
- Access control. Limit access to computers, company networks and confidential data based on an employee’s need to know.
- Employee training programs. Workplace security depends upon a workforce that is trained in company protocol, alert to the signs of a potential breach and knows how to respond. POWERNET can provide the essential training on basic security practices and policies. Phishing awareness exercises can further help employees recognize and avoid emails, websites and phone calls that are designed to infiltrate company systems or steal personal information.
- Establish Security Safeguards
The following baseline measures are recommended to help safeguard SMBs’ sensitive data from unauthorized access and use:
- Encryption for laptops, desktops and mobile devices. Encryption encodes information so that only the person (or computer) with the key can decode it. While it is not a full security solution, encryption remains highly recommended for all devices, especially those that contain sensitive information. Most newer-model mobile phones and tablets come with auto-encryption software pre-installed. Many privacy and consumer protection statutes also recognize the importance of encryption in protecting customers' information and provide safe harbors within the statutes to incentivize businesses to adopt the control.
- Cloud service providers. Outsourcing security management to cloud-based providers is an increasingly viable alternative to an in-house security program. Cloud providers offer expertise in identity and vulnerability management that the SMB needs but often lacks while helping to lower the SMB’s operating costs. However, SMBs should negotiate with providers to ensure they get the security and privacy services that best serve their company’s protection needs.
- Password protection and authentication controls. Passwords are the primary means for controlling access to sensitive data resources. Change default passwords and require complex passwords with a variety of character types that must be changed every 90-120 days. Multi-factor authentication may be required depending on the type of data being accessed or the source (such as remote users).
- VPN (virtual private network) for remote access. For organizations with remote users, a VPN provides a secure channel through the Internet to the SMB's private network. VPN controls include encryption of all data transmitted over the channel, multi-factor authentication, strong passwords and automatic timeouts after a period of inactivity.
- Vendor security. SMBs need assurance that any vendor with which they share company information makes security a priority. Before entrusting your data to a third party, get in writing the vendor's specific controls for protecting sensitive information and augment them with additional controls if necessary. Also require the vendor to return or destroy all sensitive information upon termination of the contract.
- Prepare for the Worst, Hope for the Best!
A security breach is a near certainty for businesses today – more a matter of when, not if, one will occur. For SMBs, preparedness is key to surviving the fallout. An incident response plan (IRP) prescribes the way a business will respond to and manage the effects of a security attack. Its goal is to limit the damage and reduce recovery time and costs. All SMBs should prepare an IRP that includes the following components:
- Identification of an incident response team (such as POWERNET); at a minimum, security staff who are system-savvy and a manager authorized to make decisions on behalf of the business
- Clear delineation of possible incidents (such as unauthorized access or malicious code) and how to identify and contain them based on the business impact (confidential customer data vs. intellectual property)
- Procedures for eradicating the root cause of the attack and all traces of malicious code, restoring data and software, and monitoring systems for any remaining signs of weakness
Find an Insurance Carrier that Provides More than Just Coverage
At POWERNET, we will help you find a great insurance carrier at no charge. Always work with your insurance carrier to ensure that any procedural requirements for coverage are integrated into your final plan. Having appropriate cyber insurance coverage is just as important as having best-practice-based policies and procedures in place. Partnering with the right insurance carrier can help SMBs proactively improve their cyber security posture and reduce financial losses. Experienced carriers need to provide full breach risk management solutions to help SMBs prevail in the face of an inevitable security event.
POWERNET will work with owners and executive teams to help you be proactive about your cyber security risks. POWERNET offers both hourly and retainer contract rates. If you are interested in our services, feel free to call our offices at 256-489-8425 with the type of service you need, or just fill out this form.